Use Anti-DDoS Origin with Server Load Balancer
Deploying a Server Load Balancer (SLB) instance in front of your origin server offers stronger protection than enabling Anti-DDoS Origin directly on the server. This topic describes how to deploy an SLB instance for your web services on an ECS instance and then enable Anti-DDoS Origin.
Prerequisites
-
You have created an ECS instance and deployed your applications. For more information, see Get started.
-
You have purchased an Anti-DDoS Origin instance. For more information, see Purchase an Anti-DDoS Origin instance.
Background information
When you use Anti-DDoS Origin to protect web services, we recommend deploying a Server Load Balancer (SLB) instance in front of the ECS instance that hosts your services. Then, add the IP address of the SLB instance as a protected object in Anti-DDoS Origin. This configuration allows the SLB instance to discard traffic on protocols and ports that do not have a configured listener, significantly enhancing the origin server's resistance to DDoS attacks. This deployment is highly effective against various types of DDoS attacks, such as SSDP, NTP, and Memcached reflection attacks, UDP floods, and large-packet SYN floods.
-
If a Server Load Balancer instance is already deployed for your origin server, you only need to add its IP address as a protected object in Anti-DDoS Origin. For more information, see Protected objects.
-
Server Load Balancer (SLB) includes Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). This topic uses CLB as an example. For more information, see The SLB product family.
Procedure
-
Create an internet-facing Classic Load Balancer (CLB) instance. For details, see Create and manage a CLB instance.
When you create the CLB instance, note the following:
-
Server Load Balancer does not support cross-region deployment. You must select the same region as your ECS instance.
-
Anti-DDoS Origin protects only public IP resources. You must select an internet-facing instance type.
For more information, see Preparations.
After you create the CLB instance, go to the Instances page on the SLB console and record the instance's IP Address (public IPv4 address). You will need this address later when you configure DDoS protection.
-
-
Configure the load balancer instance. For details, see Configure a load balancer instance.
When you configure the load balancer instance, note the following:
-
When you configure the Protocol & Listener, select only the protocols and ports that your application requires. SLB supports TCP, UDP, HTTP, and HTTPS. Traffic for protocols and ports that do not have a configured listener is discarded and not forwarded to the backend ECS instances.
-
When you add Backend Servers, select the ECS origin servers where your applications are deployed.
NoteCLB communicates with backend ECS instances over the internal network. After you configure the load balancer and verify that it works as expected, we recommend disabling public internet access for your backend ECS instances.
After you configure the load balancer instance, it distributes client requests to the backend ECS instances based on your configuration.
-
-
Update the DNS settings for your domain.
-
If your service is accessed by IP address, use the IP address of the CLB instance from Step 1 as your service IP address. You can then skip this step.
-
If your service is accessed by a domain name, update the A record for your domain to point to the IP address of the CLB instance from Step 1. For more information, see Set up an A record.
-
-
Add the IP address of the CLB instance as a protected object in your Anti-DDoS Origin instance to enable DDoS protection for the load balancer. For details, see Protected objects.
After you add the protected object, the origin server behind the CLB instance benefits from the best-effort protection provided by Anti-DDoS Origin. When Anti-DDoS Origin detects a DDoS attack, it automatically triggers traffic scrubbing.